[4.3.4] SendMovementUpdate - I tried to reverse it with OllyDBG

[demerda10]

Hello everyone!
I am trying to call SendMovementUpdate but I am not having much success. The address for the function (574380) I got from the dump thread (4.3.4).
I used OllyDBG to get the arguments of the function and I came down to this:

Code:

     "push 0x19FC30", // Hardcoded for now to match WoW's way of calling - Also tried "push 0", as it is in older expansions, but it doesn't work
     "push 0x19FC40" , // Hardcoded for now to match WoW's way of calling - Also tried "push 0", as it is in older expansions, but it doesn't work
     "push 0x7914",
     "push " + (uint)Environment.TickCount,
     "mov ecx, 0x" + PlayerPointer.ToString("X"),
     "call 0x00574380",
     "retn",

However, it crashes.
I am calling the same way WoW does (when I rotate the camera). Then, I compare the stack/registers when I call it, producing the same stack/registers.

ps: I have this function already working with 2.4.3 but it uses Player_Base_Address instead of Player_Pointer (as I called) in 4.3.4 which, I found to be Player.Base_Address + 0x100 (that Wow uses as an argument for the SendMovementFunction).

Here are the comparison of stack and registers:

a.png

b.png

What am I missing here? I've been going back and forth for the past 3 days but I'm stuck.

I tried to follow the code as deep as I could before it gives an exception, but it is so deep that I couldn't follow to address the problem.
Probably not helpful but it gives an exception here, when executing PUSHAD:

c.png

Thanks!

[realwarpten]

This is the full signature of that method (its real name is SendSimpleMoveMessage)

void __thiscall CMovementData_C__SendSimpleMoveMessage(CMovement_C *a1, int currentUpdateTime, unsigned int opcode, JamCliMovementStatus *movementStatus, JamMessage *a7)

CMovement_C lives at CGUnit_C+0x780

Code:

00000000 CGUnit_C        struc ; (sizeof=0x1268, align=0x4, mappedto_64)
00000000                                         ; XREF: __ZN9CGTooltip7SetUnitERKyiS1_i/r
00000000                                         ; CGPlayer_C/r
00000000 _               CGObject_C ?            ; XREF: CGTooltip::SetUnit(ulong long const&,int,ulong long const&,int)+35/r
00000000                                         ; CGTooltip::SetUnit(ulong long const&,int,ulong long const&,int)+12D/r ...
000000F8 m_descriptors   dd ?                    ; offset
000000FC m_some_guid     dd ?                    ; offset
00000100 m_mover         dd ?                    ; offset
00000104 gap5            dd ?
00000108 gap6            dd ?                    ; offset
0000010C gap7            dd ?
00000110 gap8            dd ?
00000114 gap9            dd ?
00000118 unitclass0      dd 410 dup(?)
00000780 m_activeMover   CMovement_C ?           ; <========================================
000008CC unitclass00     dd 13 dup(?)
00000900 data0           dd 7 dup(?)
0000091C m_creatureStats dd ?                    ; offset
00000920 m_creatureDisplayInfo dd ?
00000924 m_creatureDisplayInfoExtra dd ?         ; offset
00000928 m_creatureModelData dd ?                ; offset
0000092C m_creatureSoundData dd ?                ; offset
00000930 data111         dd ?                    ; offset
00000934 m_unitBloodLevelsRec dd ?               ; offset
... more data

JamCliMovementStatus is the movement update block sent in every movement packet (but each packet serializes it differently).
JamMessage is the base type for every jam packet.

Code:

void __thiscall CMovementData_C::SendSimpleMoveMessage(CMovement_C *a1, int currentUpdateTime, unsigned int opcode, JamCliMovementStatus *movementStatus, JamMessage *a7)
{
  CMoveSpline *v6; // eax

  if ( !(a1->m_movementShared.m_movementFlags & MOVEMENTFLAG_TRACKING_TARGET) )
  {
    if ( ((unsigned __int8)g_jam_CliPlayerMovement_has_flag_IsMoveACK[(opcode & 0x1E | ((opcode & 0x300 | ((opcode & 0x800 | (opcode >> 2) & 0x1000) >> 1)) >> 3)) >> 4] >> (((opcode & 0x1E | ((opcode & 0x300 | ((opcode & 0x800 | (opcode >> 2) & 0x1000) >> 1)) >> 3)) >> 1) & 7)) & 1
      || a1->m_unit->_.m_descriptors->OBJECT_FIELD_GUID.m_qword == CGUnit_C::m_activeMover.m_qword
      && ((v6 = a1->m_movementShared.m_spline) == 0
       || SLOBYTE(v6->m_splineFlags) < 0
       || (unsigned __int8)sub_571610(opcode)) )// AllowedOnSpline
    {
      CMovementData_C::FillInStatusUpdate(&a1->m_movementShared, opcode, currentUpdateTime, movementStatus);
      CMovement_C::SendMoveAckMessageInt(a1, currentUpdateTime, a7);
    }
  }
}

I don't think this is the function you want to call, but there you go.

[demerda10]

This is the full signature of that method (its real name is SendSimpleMoveMessage)

void __thiscall CMovementData_C__SendSimpleMoveMessage(CMovement_C *a1, int currentUpdateTime, unsigned int opcode, JamCliMovementStatus *movementStatus, JamMessage *a7)

CMovement_C lives at CGUnit_C+0x780

Code:

00000000 CGUnit_C        struc ; (sizeof=0x1268, align=0x4, mappedto_64)
00000000                                         ; XREF: __ZN9CGTooltip7SetUnitERKyiS1_i/r
00000000                                         ; CGPlayer_C/r
00000000 _               CGObject_C ?            ; XREF: CGTooltip::SetUnit(ulong long const&,int,ulong long const&,int)+35/r
00000000                                         ; CGTooltip::SetUnit(ulong long const&,int,ulong long const&,int)+12D/r ...
000000F8 m_descriptors   dd ?                    ; offset
000000FC m_some_guid     dd ?                    ; offset
00000100 m_mover         dd ?                    ; offset
00000104 gap5            dd ?
00000108 gap6            dd ?                    ; offset
0000010C gap7            dd ?
00000110 gap8            dd ?
00000114 gap9            dd ?
00000118 unitclass0      dd 410 dup(?)
00000780 m_activeMover   CMovement_C ?           ; <========================================
000008CC unitclass00     dd 13 dup(?)
00000900 data0           dd 7 dup(?)
0000091C m_creatureStats dd ?                    ; offset
00000920 m_creatureDisplayInfo dd ?
00000924 m_creatureDisplayInfoExtra dd ?         ; offset
00000928 m_creatureModelData dd ?                ; offset
0000092C m_creatureSoundData dd ?                ; offset
00000930 data111         dd ?                    ; offset
00000934 m_unitBloodLevelsRec dd ?               ; offset
... more data

JamCliMovementStatus is the movement update block sent in every movement packet (but each packet serializes it differently).
JamMessage is the base type for every jam packet.

Code:

void __thiscall CMovementData_C::SendSimpleMoveMessage(CMovement_C *a1, int currentUpdateTime, unsigned int opcode, JamCliMovementStatus *movementStatus, JamMessage *a7)
{
  CMoveSpline *v6; // eax

  if ( !(a1->m_movementShared.m_movementFlags & MOVEMENTFLAG_TRACKING_TARGET) )
  {
    if ( ((unsigned __int8)g_jam_CliPlayerMovement_has_flag_IsMoveACK[(opcode & 0x1E | ((opcode & 0x300 | ((opcode & 0x800 | (opcode >> 2) & 0x1000) >> 1)) >> 3)) >> 4] >> (((opcode & 0x1E | ((opcode & 0x300 | ((opcode & 0x800 | (opcode >> 2) & 0x1000) >> 1)) >> 3)) >> 1) & 7)) & 1
      || a1->m_unit->_.m_descriptors->OBJECT_FIELD_GUID.m_qword == CGUnit_C::m_activeMover.m_qword
      && ((v6 = a1->m_movementShared.m_spline) == 0
       || SLOBYTE(v6->m_splineFlags) < 0
       || (unsigned __int8)sub_571610(opcode)) )// AllowedOnSpline
    {
      CMovementData_C::FillInStatusUpdate(&a1->m_movementShared, opcode, currentUpdateTime, movementStatus);
      CMovement_C::SendMoveAckMessageInt(a1, currentUpdateTime, a7);
    }
  }
}

I don't think this is the function you want to call, but there you go.

Hi!
Thanks for the answer.
Indeed, that doesn't seem like the function I want to call.

I just need a function to update the position after a teleport.
The method that I am using for other versions works well, and it uses MSG_MOVE_SET_FACING 0xDA as the OPcode.

The functions that I am using for other versions are:
1.12.1 - 0x00600A30
2.4.3 - 0x0060D200

And they all have the same signature (at least I am able to use basically the same asm code).
Do you know what is the same function as those, but for 4.3.4 ??
If you have the address, I'll try to reverse it as well and see how its signature is.

Thanks for the help, appreciate it

edit: I managed to find another function (SendSetFacing or something) that does all the hard work for me as it just needs 2 arguments and it worked!

[garbled]

Hi!
Thanks for the answer.
Indeed, that doesn't seem like the function I want to call.

I just need a function to update the position after a teleport.
The method that I am using for other versions works well, and it uses MSG_MOVE_SET_FACING 0xDA as the OPcode.

The functions that I am using for other versions are:
1.12.1 - 0x00600A30
2.4.3 - 0x0060D200

And they all have the same signature (at least I am able to use basically the same asm code).
Do you know what is the same function as those, but for 4.3.4 ??
If you have the address, I'll try to reverse it as well and see how its signature is.

Thanks for the help, appreciate it

edit: I managed to find another function (SendSetFacing or something) that does all the hard work for me as it just needs 2 arguments and it worked!

Cany you share the {SendSetFacing or something) signature ? I need it for classic 1.13.5.35753